Secure Any Device Access with VXI


Cisco Virtualization Experience Infrastructure (VXI) is a core pillar of Cisco's strategy to provide secure access to any service, on any device, from anywhere.

Background

Like many IT organizations, Cisco IT needs to support changing work styles, especially the use of employee-owned devices for work. To address this need, Cisco IT has launched a multiyear "Any Device" initiative intended to satisfy employee demand for flexibility while meeting Cisco IT's cost and security requirements. Any Device is part of the Cisco Unified Workspace strategy for making all of an employee's productivity and collaboration tools (the workspace) available anywhere, and to any device.

One of the pillars of the Any Device initiative is virtual desktop infrastructure (VDI), also known as desktop virtualization. VDI refers to hosting virtual desktops on centralized storage and servers to give employees a full desktop experience from a choice of client devices, including thin or zero clients, company-owned laptops or ultrabooks, and personal devices, including tablets.

Cisco IT strives to continually lower the total cost of ownership (TCO) for desktops. "We significantly lowered TCO when we centralized IT support for branch offices," says Richard Whitmarsh, Cisco IT manager for network services delivery. "Our next target was desktop hardware and support costs."

In addition to lowering TCO, Cisco IT wanted to strengthen protection of intellectual property. "The vast majority of many companies' intellectual property is on laptops," Whitmarsh says. Almost all onsite workers at Cisco, both permanent and temporary, are given a laptop as their primary compute device. The same is true for many of the 18,000 employees of Cisco's offshore development partners, who are given laptops or desktops.

Cisco IT also wanted to accelerate onboarding of new employees from acquired companies. When acquisitions close rapidly, employees sometimes do not receive their new laptop the first day of work, hampering productivity and slowing down integration of the acquired company.

Approximately one in ten Cisco employees, a total of about 7000, have two or more corporate-owned laptops. Replacing one with a virtual desktop would significantly lower capital costs. Employees would be able to connect to the virtual desktop from a personal tablet. "Many Cisco employees actually prefer using a personal device for work," says Whitmarsh. "To support a BYOD [Bring Your Own Device] policy, we needed to provide a persistent desktop that employees could access from anywhere, with any device."

Opportunity 2: Eliminating Laptop Costs in Extranet Partner Sites

Cisco has approximately 18,000 extranet users, primarily global partners with facilities that are dedicated to Cisco. Cisco IT provides laptops and desktops, network equipment, and collaboration services such as Cisco® Unified Communications. Laptop TCO is relatively high for extranet partners, because Cisco IT replaces laptops every three years and also keeps spares in stock so that new employees can begin working right away. "Unless we made a change, one of our partner sites in India would have needed 4000 new laptops by July 2012, including 2800 replacements and 1200 for new employees," says Prosenjit Bhattacharjee, Cisco IT program manager.

Solution

Cisco IT capitalized on both opportunities (eliminating a second company-owned laptop for Cisco employees and eliminating laptop costs for offshore development partners) by implementing the Cisco VXI Smart Solution (Figure 1). Employees in the two programs can use any device, including a Cisco Virtualization Experience Client (VXC) or tablet, to access their virtual desktop. Employees using the pilot version of Cisco VXC can access voice and video services as well as their virtual desktops.

"VDI will help transform the way work will be done globally, both within our enterprise and with our partner ecosystem," says VC Gopalratnam, vice president of Cisco IT and CIO for globalization. "It will provide for better control over intellectual property and access privileges, and improve operational excellence."

Figure 1. Cisco VXI Smart Solution

Cisco IT based the Cisco VXI architecture on the Cisco Validated Design for Citrix (Table 1).

Table 1. Solution Components

VXI Component                     Solution
Server                            Cisco UCS B230 M2 Blade Servers
Hypervisor                        VMware ESXi
Desktop Virtualization Software   Citrix XenDesktop version 5.6
OS Image                          Windows 7 (current); Windows 8 (planned)
Load Balancing                    Cisco ACE Application Control Engine
WAN Optimization                  Cisco Wide Area Application Services (WAAS) 4.5, currently in pilot
Virtual Switch                    Cisco Nexus 1000V

Sizing

Cisco IT designed the Cisco VXI pod to support 2000 users. The pod contains 20 Cisco B230 M2 Blade Servers, each with 256 GB RAM. Each server can support 100 virtual desktop sessions with 2.5 GB RAM per session, as well as 10 additional sessions if another server should fail. To calculate the number of sessions each server could support, Cisco IT used Liquidware Labs Stratusphere software to measure processing, memory, and disk input/output operations per second (IOPS) for a physical desktop at Cisco. "We configured the architecture to support 25 IOPS compared to the industry average of 15-18 IOPS," says James Turner, IT engineer and technical lead for the Cisco VXI implementation. Over time, Cisco IT expects to further reduce virtual machine (VM) processing and memory requirements by using a third-party antivirus agent that uses only 20 MB per session, compared to 100-120 MB for a traditional antivirus solution.

Storage

Storage considerations were central to the Cisco VXI design, because storage is the least scalable and most expensive element, according to Turner. A NetApp FAS6280 Filer will support the first 2000 users, based on the virtual desktop configurations of 2.5 GB RAM and 40 GB disk space consuming 25 IOPS. Cisco IT sized storage for work-related content only, and blocks music and non-work-related video files. About half of each desktop image, or 20 GB, is available for storage. To provide more storage, Cisco IT is in the process of integrating the private storage cloud, called S-Cloud, with the Cisco VXI.

Access Control

Cisco IT previously restricted extranet partners' access to the Cisco network using access control lists (ACLs) on the Cisco Integrated Services Router (ISR) at the partner site. Some ACLs contained up to 35,000 lines of code, making them time-consuming to maintain. The complexity resulted in part from the use of whitelists to specify the many allowed URLs for developers.

In conjunction with the VDI deployment, Cisco IT began maintaining blacklists blocking critical resource domains that are never allowed, such as executives' laptops and core production resources. "Moving from whitelists to blacklists has reduced the size of our ACLs by about 75 percent," says Prosenjit. "This lowers resource requirements and costs for new partner sites by 20-25 percent."
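As an added illustration, not configuration from the case study, the two ACL styles described above written in Cisco IOS extended ACL syntax; the list names, interface, addresses and ports are constructed placeholders. The allow-list form grows by one line per permitted destination and ends in the implicit deny, while the deny-list form stays short but ends in an explicit permit, so anything not named is reachable and the list has to be reviewed whenever critical resources are added or moved.

```text
! Allow-list style: every permitted destination is enumerated;
! everything else falls to the deny at the end (IOS also applies an
! implicit "deny ip any any" if no final rule is written).
ip access-list extended PARTNER-ALLOWLIST
 remark constructed example: 10.20.0.0/16 = partner site, 10.100.x.x = Cisco-side hosts
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.1.10 eq 443
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.1.11 eq 443
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.2.20 eq 22
 remark ... one line per allowed host/URL; this is the form that grew to 35,000 lines
 deny ip any any log

! Deny-list style: only the resources that are never allowed are named,
! and the final rule permits everything else from the partner range.
ip access-list extended PARTNER-DENYLIST
 remark constructed example: 10.100.9.0/24 = core production, 10.100.50.0/24 = executive laptops
 deny ip 10.20.0.0 0.0.255.255 10.100.9.0 0.0.0.255 log
 deny ip 10.20.0.0 0.0.255.255 10.100.50.0 0.0.0.255 log
 permit ip 10.20.0.0 0.0.255.255 any
 deny ip any any log

! Apply one list inbound on the partner-facing interface (constructed name).
interface GigabitEthernet0/0
 description constructed example: LAN toward partner site
 ip access-group PARTNER-DENYLIST in
```

The "log" keyword on the deny entries produces syslog hits for blocked traffic, which is the simplest way to verify that the shorter list still covers the resources it is meant to protect.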

Client Devices

Employees at the offshore development partner connect to hosted virtual desktops using a Cisco VXC 2200, a standalone zero client. Employees at Cisco offices connect using a variety of devices, depending on their job requirements:

• Personal devices, including tablets: Employees using personal devices can work with their virtual desktop but currently cannot access voice and video services with an acceptable user experience. When Cisco IT deploys Cisco VXC 4000 software, employees who use personal Windows devices will also be able to access Cisco voice and video services. A media engine on the Cisco VXC 4000 intelligently routes voice traffic to Cisco Unified Communications Manager (Figure 2). "Voice on traditional VDIs is not enterprise quality because it goes through the data center," says Stuart Hollingsworth, Cisco IT program manager. "In contrast, voice quality on the Cisco VXC 4000 software appliance and Cisco VXC 6215 thin client is excellent, because it travels point to point, just as it does with standard IP phones."

Figure 2. Voice Traffic Travels Point to Point Instead of Through Data Center, for Enterprise Quality

• Cisco VXC 6215: Shift workers in a pilot program have been using this client, which handles voice and video traffic in the same way as the Cisco VXC 4000 (Figure 3). When new employees arrive for their shifts, they log on to receive their own desktop.

• Cisco VXC 2100: Lobby Ambassadors in a pilot program use this model, which connects to a Cisco Unified IP Phone 9950 or 9970 to combine the functions of a traditional PC and IP phone in a unified form factor.

Figure 3. Cisco VXC 6215 (Left) and VXC 2100 (Right)

WAN Optimization

To provide a high-quality user experience for Citrix XenDesktop over the WAN, Cisco IT is implementing Cisco Wide Area Application Services (WAAS). Cisco WAAS accelerates application performance and can support up to twice as many concurrent Citrix users. When Cisco IT implements Cisco WAAS 5.0 throughout the network, both media traffic and display protocol traffic will be optimized. Only the media traffic is optimized currently.

Design Decisions

Cisco IT made the following design decisions for Cisco VXI:

• Stateful instead of stateless desktops: A stateful desktop, also called a persistent desktop, is reserved for a particular employee. A stateless desktop, in contrast, uses data center resources only when an employee is logged on. "Although a stateless design uses fewer resources, and therefore costs less, we decided to start with fully persistent desktops to become familiar with VXI technology, economic factors, and support models," Whitmarsh says. Cisco IT is currently developing the profile management, content virtualization, and application virtualization processes needed for stateless desktops.

• Separating VDI traffic from other data center traffic: Cisco IT needed to make sure that desktop traffic would not degrade the performance of critical data center applications such as cisco.com and enterprise resource planning (ERP) tools. Therefore, the virtual desktop sessions themselves operate on dedicated compute and storage resources, behind their own switches. The sessions access Cisco VXI application servers that are deployed as part of Cisco's standard virtual server farms, and these servers broker client connection requests for a VXI session. "The Cisco VXI effectively operates as a campus network within the data center, subject to campus switching and QoS policies but separate from the core data center network," says Turner.

• Wired and wireless access: Personal devices and Cisco VXC endpoints connect to virtual desktops through a Cisco Catalyst® 6500 Switch, Cisco IT's standard for desktops. The IT team is in the process of certifying the Cisco Nexus® 7000 as a desktop switch.

Selecting Users

Cisco IT has provisioned virtual desktops for 2000 users so far. "Early adopters have told us they love the freedom," says Christensen. "The desktop is always on, and always available from any device."

The first users at Cisco include:

• Employees with two or more laptops: Many of these are sales and support engineers and developers. "Development and test are good use cases for desktop virtualization, because developers and test engineers don't need to spend time refreshing their desktops after installing a lot of software," says Turner.

• Mac users: Cisco employees can choose a Windows or Mac laptop, but Cisco IT provides support for Windows laptops only. Seventy percent of the employees participating in the pilot have a Mac. Previously they used VMware Fusion to operate Windows applications. Now they no longer need Fusion, because Macs can access the Windows virtual desktop through the Citrix Receiver client. "The appeal of Cisco VXI to Mac users is to bridge the divide between their preferred platform and Cisco's standard Windows laptop," Whitmarsh says, noting that future releases of Microsoft Exchange may reduce that need.

• Interns: "Within the IT organization, 20 summer interns were set up with a virtual desktop and became productive within minutes," says John Manville, vice president of Global Infrastructure Services for Cisco. "In addition, we avoided committing to a costly 36-month laptop lease."

Cisco IT has successfully completed a desktop virtualization pilot with 250 employees of an extranet partner in India with 6500 total employees. The pilot users, including developers, test engineers, and support engineers in two facilities, traded their laptop for a Cisco VXC 2200 (soon to be replaced with the Cisco VXC 6225) that they use to work with their virtual desktop and to use voice and Cisco WebEx® services.

• Lower desktop TCO: Cisco VXCs contain no moving parts, increasing desktop client lifespan from three years to five to eight years. Operating system and application upgrades occur online without human intervention, and all users work from one image. "Instead of refreshing the laptop fleet every three years, we spend just one quarter testing new applications in the VXI environment," Prosenjit says. Cisco IT had already dramatically reduced desktop support costs by eliminating local support costs, and Cisco VXI reduced TCO by another 8-10 percent.

• Faster onboarding of new employees: An unforeseen benefit of Cisco VXI is that developers become productive four to five weeks sooner. "We pay for developers as soon as they are hired, but in the past they couldn't become fully productive until they received a laptop, sometimes weeks after their start date," Prosenjit says. "Now a virtual desktop is created automatically along with the Active Directory user name." The Cisco VXI Smart Solution also helps to reduce inventory requirements and simplifies asset management at the partner location.

• Flexibility to work from anywhere: Previously, developers and test engineers could only access the network from the office, not from home. Now Cisco IT can confidently allow partner employees to work from anywhere because the environment remains within Cisco.

• Increased application performance: Cisco VXI is faster and more reliable than local desktops, partly because the environment is centrally managed. And unlike laptops, Cisco VXCs do not slow down over time because of repeated operating system patches, cookie proliferation, and so on.

Increased Productivity

In a survey of Cisco VXI users conducted by Cisco IT, 61 percent of respondents reported an increase in productivity, an average of 69 minutes weekly. They said the main benefit of VXI was being able to connect to a persistent desktop from multiple devices. "When I log in from any device, the spreadsheet I'm working on is right there, just as I left it the last time," Manville says.

In addition, employees of acquired companies now receive their desktop up to a week faster, becoming fully productive more quickly. "Even with our current manual process, Cisco IT can respond to a request for a virtual desktop in less than 24 hours, and fulfill urgent requests within minutes," says Whitmarsh. "That's compared to 5-10 days before we had Cisco VXI."

Lessons Learned

Cisco IT shares the following lessons learned for other organizations planning their own Cisco VXI programs:

• Make sure you know all applications that the target employees use. Task workers, in particular, often do not have the latest application versions. During the pilot, Cisco IT discovered that some applications required Windows XP, not Windows 7, and that the finance team still uses certain older Oracle applications. Keep in mind that users' self-reporting of application use is not always accurate. At Cisco, for example, certain employees used Cisco WebEx and Cisco Jabber™ (formerly Cisco Unified Personal Communicator) more than they realized. To use these collaboration applications with acceptable user performance, they need a Cisco VXC 4000 or VXC 6215.

• Test application compatibility with the desktop virtualization software. During testing, Cisco IT discovered that certain client-server applications did not perform well in a virtual desktop environment.

• Decide whether the data center team or desktop team should own the program. "Initially, the desktop team took the lead with the VXI deployment and worked to get the attention of the data center team," says Whitmarsh. "After we transferred responsibility to the data center team, progress accelerated, and the pilot was operating after just three months. Our experience validated Gartner's observation that VDI is currently being driven by data center teams." Gartner also predicts that VDI will eventually return to desktop teams.

• Prepare for collaboration among different IT teams that previously did not work together. Cisco VXI affects multiple Cisco IT teams, including networking, data center, desktop, security, unified communications, and video services. These groups have been relatively autonomous at Cisco, and Cisco VXI requires them to collaborate for the first time.

• Revisit policies about personal software. Cisco IT does not restrict the software that employees can use on their laptops, so some use music players like iTunes. "Cisco VXI is an extension of the desktop, so we currently have the same software usage policies," Turner says. "However, we are reconsidering because if an employee uses iTunes from VXI, performance might slow down in some situations."

• Determine if you need different-sized pods for different locations. Cisco IT might design a 500-user pod for smaller locations where the current 2000-user pod would not be cost-effective.

• Make sure employees understand the benefits of virtual desktops. "Some of our users were very excited, while others wanted to know why we were taking away their laptops," says Hollingsworth. Cisco IT blogged about the program in online communities and emailed setup instructions. Monitor usage to determine if employees initially need encouragement from their managers.

Next Steps

By July 2012, approximately 4000 employees of the extranet partner in India will access virtual desktops. The deployment to engineering users might take longer, because Cisco IT wants to test the complete engineering stack in the Cisco VXI environment.

In addition, Cisco IT expects to provide virtual desktops to 10,000 internal users by March 2013. The majority will be given a Cisco VXC endpoint or Cisco VXC 4000 software appliance. Pilots are currently under way for human resources, helpdesks, travel desks, and lobby ambassadors. Other user groups being considered for virtual desktops include short-term consultants, contractors and vendors, and employees of acquired companies who will be able to use existing devices with Cisco VXC 4000 software until they receive a Cisco device.

• Virtualizing applications. Instead of including applications in the desktop image, Cisco IT plans to stream applications to the virtual desktop.

• Automating provisioning of the Cisco VXC 4000 software appliance using Cisco Process Orchestrator, part of the Cisco Intelligent Automation for Cloud portfolio. The first time employees connect to their virtual desktop with either a company-owned or personal device, the Cisco ISE will authenticate the user and then deliver the software for installation.

Cisco IT continues to deploy other Smart Solutions that are part of the Cisco Unified Workspace strategy and relevant to Cisco's internal business and technical challenges.

For More Information

To learn more about the Cisco Virtualization Experience Infrastructure, visit: www.cisco.com/go/vxi.

To read additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT: www.cisco.com/go/ciscoit.

Note

This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described; Cisco does not guarantee comparable results elsewhere.

CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.